Full Report
A new malware family is turning forgotten home routers into a distributed reconnaissance and proxy network, not the DDoS botnet these devices usually end up in. QiAnXin's XLab calls it AryStinger and counts at least 4,300 infected routers, a total it says is still rising. The distinction matters. AryStinger exists for the stage of an attack that comes before the break-in. Infected
Analysis Summary
# Tool/Technique: AryStinger
## Overview
AryStinger is a newly identified malware family designed to transform end-of-life (EOL) home routers and NAS devices into a global distributed reconnaissance and proxy network. Unlike typical IoT botnets used for DDoS attacks, AryStinger functions as an "Operational Relay Box" (ORB) network used for the pre-exploitation phase of attacks, facilitating internet-wide scanning, service fingerprinting, and traffic tunneling to mask attacker activity.
## Technical Details
- **Type:** Malware family / Botnet (Reconnaissance & Proxy)
- **Platform:** Linux-based IoT devices (Realtek RTL819X chips) and QNAP NAS systems.
- **Capabilities:** Mass DNS scanning, traffic tunneling, subdomain enumeration, and on-demand command execution.
- **First Seen:** March 12, 2026 (Initial discovery by QiAnXin XLab).
## MITRE ATT&CK Mapping
- **[TA0007 - Discovery]**
  - [T1046 - Network Service Discovery]
  - [T1595 - Active Scanning]
- **[TA0009 - Collection]**
  - [T1005 - Data from Local System]
- **[TA0011 - Command and Control]**
  - [T1090 - Proxy]
  - [T1573.001 - Encrypted Channel: Symmetric Cryptography]
- **[TA0003 - Persistence]**
  - [T1133 - External Remote Services] (Dropbear SSH)
## Functionality
### Core Capabilities
- **Distributed Scanning:** Coordinates mass DNS scans and service fingerprinting across thousands of nodes.
- **Traffic Tunneling:** Acts as a residential proxy network to relay and obfuscate malicious traffic.
- **Protobuf Communication:** Uses Protocol Buffers for C2 communication, obfuscated with XOR and Gzip (Go variant).
- **Subdomain Enumeration:** Specifically targets organizational infrastructure through ksubdomain and httpx integration in NAS builds.
### Advanced Features
- **Dual Architecture Builds:**
  - **C Variant:** Lightweight build optimized for legacy MIPS/Realtek routers with limited resources.
  - **Go Variant:** Feature-rich build for NAS devices capable of running internal network reconnaissance tools (fscan).
- **ScriptWork Tasking:** Allows the operator to push and execute raw Go, Java, or Python source code directly on compromised NAS devices, bypassing the need for per-target compilation.
- **Fixed-Port Persistence:** Establishes a Dropbear SSH server (Port 2332) or `gs-netcat` to ensure continued access.
## Indicators of Compromise
- **File Hashes:**
  - (Specific hashes not listed in text, but identified as Linux ELF binaries)
- **Hardcoded Secret/Keys:** `sh_#@!_2024_secret`
- **Network Indicators:**
  - C2/Source IP: `107[.]150[.]106[.]14`
  - C2 Communication: HTTP/HTTPS using Protobuf.
- **Behavioral Indicators:**
  - Inbound/Outbound traffic on Port `2332` (Dropbear SSH).
  - High volume of DNS query traffic originating from the router.
  - Presence of tools like `fscan`, `ksubdomain`, or `httpx` in `/tmp` or volatile memory.
## Associated Threat Actors
- **Note:** While no specific group is named, the infrastructure matches the "Operational Relay Box" (ORB) pattern frequently used by **China-nexus espionage groups**.
## Detection Methods
- **Signature-based detection:** Monitor for the specific Dropbear configuration and the hardcoded string `sh_#@!_2024_secret`.
- **Behavioral detection:** Identify unexpected SSH services on non-standard ports (TCP/2332) and anomalous outbound scanning activity (TCP/80, TCP/443, UDP/53) originating from edge networking equipment.
- **Log Analysis:** Check for exploitation attempts related to CVE-2013-3307, CVE-2016-5681, and CVE-2025-11837.
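The indicators above (C2 address, hardcoded string, Dropbear on port 2332, DNS volume and outbound scanning from edge devices) can be turned into a simple triage pass over flow records. The following is an added example written for this summary, not code from XLab or from the malware analysis; the flow log format, the thresholds, and the sample traffic are all constructed for illustration and should be replaced with the real export format and a per-network baseline.

```python
"""Triage helper for the AryStinger indicators listed in this summary.

Added example (not XLab's code). Flow-line format, thresholds and sample
traffic are assumptions made for this illustration.
"""
import re
from collections import defaultdict

C2_IP = "107.150.106.14"                 # listed in the report (defanged there)
HARDCODED_SECRET = b"sh_#@!_2024_secret"  # hardcoded string from the report
DROPBEAR_PORT = 2332                      # fixed-port Dropbear persistence
SCAN_TARGETS = {("tcp", 80), ("tcp", 443), ("udp", 53)}  # scanned ports per the report

# Thresholds are assumptions for this example; tune them to the network's baseline.
DNS_QUERIES_PER_WINDOW = 200
DISTINCT_SCAN_DESTINATIONS = 50

# Assumed flow-log line shape: "<ts> src=<ip> dst=<ip> proto=<tcp|udp> dport=<n>"
FLOW_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>tcp|udp) dport=(?P<dport>\d+)")


def parse_flow(line):
    """Return (src, dst, proto, dport) or None for lines that do not match."""
    m = FLOW_RE.search(line)
    if not m:
        return None
    return (m["src"], m["dst"], m["proto"], int(m["dport"]))


def contains_hardcoded_secret(blob: bytes) -> bool:
    """Signature check: does a file or memory blob contain the hardcoded secret?"""
    return HARDCODED_SECRET in blob


def triage_flows(lines, edge_hosts):
    """Map each host to the sorted list of indicator names it triggered.

    edge_hosts: addresses of routers/NAS devices; the behavioural checks
    (DNS volume, outbound scanning, Dropbear port) only apply to them.
    """
    findings = defaultdict(set)
    dns_count = defaultdict(int)          # host -> number of UDP/53 flows
    scan_dsts = defaultdict(set)          # (host, proto, dport) -> distinct destinations

    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue                      # skip malformed lines rather than abort
        src, dst, proto, dport = flow
        if dst == C2_IP:
            findings[src].add("c2_contact")
        if dport == DROPBEAR_PORT and dst in edge_hosts:
            findings[dst].add("dropbear_2332_inbound")
        if src in edge_hosts:
            if dport == DROPBEAR_PORT:
                findings[src].add("dropbear_2332_outbound")
            if proto == "udp" and dport == 53:
                dns_count[src] += 1
            if (proto, dport) in SCAN_TARGETS:
                scan_dsts[(src, proto, dport)].add(dst)

    # Many queries to the same resolver is volume; many distinct DNS targets is scanning.
    for host, n in dns_count.items():
        if n > DNS_QUERIES_PER_WINDOW:
            findings[host].add("dns_volume")
    for (host, proto, dport), dsts in scan_dsts.items():
        if len(dsts) > DISTINCT_SCAN_DESTINATIONS:
            findings[host].add(f"scan_{proto}_{dport}")
    return {host: sorted(names) for host, names in findings.items()}


def build_sample_log():
    """Constructed sample traffic (not real captures): one noisy router, one quiet one."""
    router, quiet = "192.0.2.1", "192.0.2.2"
    ts = "2026-03-12T10:00:00Z"
    lines = [f"{ts} src={router} dst=203.0.113.{i} proto=tcp dport=80" for i in range(60)]
    lines += [f"{ts} src={router} dst=198.51.100.53 proto=udp dport=53" for _ in range(250)]
    lines.append(f"{ts} src={router} dst={C2_IP} proto=tcp dport=443")
    lines.append(f"{ts} src=198.51.100.7 dst={router} proto=tcp dport=2332")
    lines.append(f"{ts} src={quiet} dst=198.51.100.53 proto=udp dport=53")
    lines.append(f"{ts} src={quiet} dst=203.0.113.5 proto=tcp dport=443")
    lines.append("this line is malformed and is skipped")
    return lines


if __name__ == "__main__":
    for host, names in triage_flows(build_sample_log(), {"192.0.2.1", "192.0.2.2"}).items():
        print(host, ", ".join(names))
```

The split between `dns_volume` (many queries to one resolver) and `scan_udp_53` (queries to many distinct hosts) matters in practice: a busy but healthy router trips the first, while the mass DNS scanning the report describes trips the second.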
## Mitigation Strategies
- **Hardware Lifecycle Management:** Replace "forgotten" or legacy routers (D-Link DIR-850L and Linksys models) that are end-of-life and no longer receive security patches.
- **Patch Management:** Ensure QNAP NAS devices are updated to resolve CVE-2025-11837 in the Malware Remover tool.
- **Access Control:** Disable remote management interfaces on the WAN side of routers.
- **Network Segmentation:** Isolate IoT and NAS devices from critical internal network segments.
## Related Tools/Techniques
- **TheMoon Malware:** Similar proxy-based botnet targeting legacy Linksys/Cisco hardware.
- **ORB Networks:** Patterns of operational relay boxes described by Mandiant.
- **fscan / ksubdomain:** Common open-source reconnaissance tools integrated into the AryStinger Go build.